Auth0 Integrates Identity Into Authentication – Interview
Auth0, a platform for modern identity authentication, recently announced its Series A funding to help augment the firm’s current team of approximately 50 people who support its growing subscriber base. The company has seen revenue growth of 20-30% month-over-month for the past year.
The company strives to make it easy for developers to implement even the most complex authentication and authorization solutions for their web, mobile and internal applications, APIs, and IoT devices.
Among Auth0’s clients are JetPrivilege, HarperCollins Publishing, Schneider Electric, Berkshire Hathaway Travel Protection and Time Warner’s TMZ. For Auth0 CEO Jon Gelsey, identity is the new firewall.
“In a world where virtually every device and application either already does or aspires to connect to the Internet and to other devices and applications, the old paradigm of a firewall providing data protection at the perimeter no longer works,” Gelsey told Hacked.
“There is no perimeter because devices are connected everywhere. Instead, the best practice today is for every application, API and IoT device to assume it’s in a hostile environment and to handle its own security.” For Auth0, security starts with strong identity.
“If you are absolutely certain of the identity of a person or machine accessing your data or inputting commands, such as ‘turn the AC on in the house at 4pm’ or ‘show me my infant’s sleeping patterns’, by definition you’ve stopped hackers,” Gelsey said.
“‘Absolute certainty’ is a difficult bar to reach, though, so the goal is to be as certain as possible regarding identity,” he added.
To achieve this, one must always employ the best practices for authenticating and authorizing users with multiple factors of authentication, as well as being up to date on the latest vulnerabilities.
“That means employing best practices for authenticating and authorizing users, using multiple factors of authentication, and being always up to date on the latest vulnerabilities,” he added.
With Auth0, developers don’t need deep vertical experience across authorization, authentication, identity management and security applications. They can quickly secure applications and APIs by adding just a few lines of code, provided by Auth0, regardless of the complexity of the identity environment.
“We make it easy for developers building IoT connected applications to implement strong identity security as an important first step to ensuring user protection and ultimately a great user experience for their product,” Gelsey said. Coverage of the Internet of Things often highlights the negative possibilities for the technology. Gelsey is excited about the positives.
“The coolest part of IoT is that I can virtualize expensive smarts – say, the CPU capacity to run sophisticated machine learning code on a multi-petabyte database – from the IoT device into the cloud, where it can be a shared resource and hence much cheaper,” Gelsey told Hacked. “While an unconnected device – say a thermostat – is fairly dumb when unconnected, it can be very smart when connected and without the cost going up materially.” This means we can all have very smart devices that make our lives easier.
“Because the IoT devices can communicate, they can figure out more about their environment and do smarter and more convenient things because they have better data – data that would have been too expensive to collect before,” Gelsey reasoned. “For example, my car can automatically brake because it is told by a car ten cars ahead of me that it had to brake. This saves me from slamming on the brakes at the last second, therefore making driving safer.” Gelsey sees the IoT everywhere he looks, including in entertainment new and old.
“The concept of devices and apps connecting with one another is certainly not new – the Jetsons are maybe an obvious, earlier example of this,” Gelsey recalls. “More recently we can see instances in almost every TV show and movie that’s made today. Fox’s Fringe showcased an alternate universe with technology slightly more advanced than our own, and crime shows like CBS’s CSI regularly feature technology that isn’t yet available to most real law enforcement agencies.” Tiny voice and touch-activated wearable smartphones and helicopters that run solely on autopilot are not where IoT ends for Gelsey.
“I like the various bots in Neal Stephenson’s Seveneves – each one fairly stupid on its own, but when all work together they become enormously valuable contributors to saving the human race,” he told Hacked. Gelsey believes that IoT will particularly change the lives of developers.
“The biggest change will be thinking about how to take advantage of all this really cool, really cheap sensor data and how humans can interact with devices without traditional UX’s like keyboards, screens, and so on,” he predicted. “As well as, of course, spurring new product and service ideas that billion-dollar new companies will be built upon.” In Gelsey’s opinion, developers will have to be careful when navigating new frontiers.
“To borrow words from the recent movie, Jurassic World, ‘The park needs a new attraction every few years to reinvigorate the public’s interest, kind of like the space program. Corporate felt genetic modification would up the ‘wow’ factor,’” Gelsey paraphrased.
“If you’re not familiar with the premise of the movie, they’re talking about having ‘built’ a genetically modified dinosaur – one who was bigger, scarier and more dangerous than any dinosaur that ever existed in nature – in order to satisfy the ever-growing demands of the park audience. The concept – not as extreme, of course – can be applied to the demand for IoT connectivity today.” That developers are under pressure to build new and exciting things and get them to market quickly leads many to cut corners on security.
“With the prevalence of recent high-profile hacks, and the even more recent Jeep hacking experiment, it’s clear that developers are sometimes taking shortcuts in security to ship faster,” Gelsey observed. “The challenge here will be to ship fast without sacrificing security.” And that’s where Auth0 comes in.
“By simplifying identity within an enterprise – something Auth0 can help developers do in days or weeks instead of months – developers can more easily identify and secure those areas that would have been most vulnerable,” he said. For Gelsey, it’s like Adam Smith’s “comparative advantage” in Wealth of Nations.
“Why try to grow wine grapes in Ecuador when you can grow pineapples more easily, and then trade those pineapples?” he said. “You get paid more for your core competencies, so why spend time and lose money doing something that’s not a core competency?” Auth0 strives to keep clients out of the authentication business, so their clients can focus on their business’ true value.
“Authentication is complex and, if done incorrectly, has big security costs, so unless your business is to be an authentication and authorization provider, why would it ever be worth your time to do it yourself?” Authentication has changed in the past ten years.
“Authentication has grown much more complex because there are many more sources of identity now than there were ten years ago,” Gelsey told Hacked. “And the hacking community has become much more sophisticated, especially with the advent of state-sponsored cyberattacks.” There are many advantages for nation-states to enter the hacking game.
“Many countries have recognized that cyber warfare is a less expensive and less risky way to accomplish national aims that previously were only achievable through military force,” Gelsey said.
“And, of course, criminal hacking gangs have seen what nation-states can accomplish and are actively working to emulate them. Strong identity security is the first step in defending against sophisticated attacks.” Auth0 recently launched Auth0 Europe. The company chose this direction for a simple reason: to meet demand.
“The EU has different privacy and data protection regulations than the US, and countries like Germany have further augmented EU rules,” Gelsey told Hacked. “While we have always been fully compliant with the regulations of every country we do business in, it provided additional peace-of-mind for European customers to know their version of Auth0 was inside EU and even German borders.” For the modern entrepreneur, Gelsey stressed, authentication is critical.
“If people can’t log in to your web or mobile app, API or IoT device, they can’t do anything else,” he said. “And on the enterprise side, if employees can’t access the systems and data they need to do their jobs, you don’t have a business.” For Gelsey, authentication and authorization are the very first building blocks you need to start a business.
“Aside from the basic ability to log in, you’ll also want to know who’s accessing your product or stored data,” the CEO said. “Without being able to measure and understand customer behavior you can’t hope to build and maintain a product that will survive to meet customer demands.”
Once a business implements authentication, the work is just beginning. That company will need to maintain proper authentication and authorization amid ever-changing technology and security protocols, a challenging and time-consuming endeavor. Amid the change, what trends should developers keep their eyes on?
“The megatrend, of course, is that apps and APIs are assembled, not written,” Gelsey said. “That’s a bit of hyperbole because there is a lot of skilled software engineering being done every day, but the advent of cloud infrastructure services means those developers can ‘stand on the shoulders of giants’ and build more amazing things incredibly quickly.” Gelsey believes that in the future, strong identity security will become simpler.
“In the same way that no one today thinks about networking for their app – because it’s a given that an IP connection is ‘just there’ – we see a not-so-distant future where authentication is ‘just there.’ Developers will no longer have to worry about identity and security for their applications, APIs, and IoT devices.”
Images from Shutterstock and author.